Windows Firewall must be enabled on all profiles. ISATAP in the corporate network is not supported. If you are using ISATAP, you should remove it and use native IPv6.

Computers that are running the following operating systems are supported as DirectAccess clients:

Windows Server® 2012 R2

Windows 8.1 Enterprise

Windows Server® 2012

Windows 8 Enterprise

Windows Server® 2008 R2

Windows 7 Ultimate

Windows 7 Enterprise

Force tunnel configuration is not supported with KerbProxy authentication. Changing policies by using a feature other than the DirectAccess management console or Windows PowerShell cmdlets is not supported. Separating NAT64/DNS64 and IPHTTPS server roles on another server is not supported.

QUESTION 57

Your network contains an Active Directory forest. The forest contains two domains named contoso.com and fabrikam.com. All of the DNS servers in both of the domains run Windows Server 2012 R2.

The network contains two servers named Server1 and Server2. Server1 hosts an Active Directory-integrated zone for contoso.com. Server2 hosts an Active Directory-integrated zone for fabrikam.com. Server1 and Server2 connect to each other by using a WAN link.

Client computers that connect to Server1 for name resolution cannot resolve names in fabrikam.com.

You need to configure Server1 to support the resolution of names in fabrikam.com. The solution must ensure that users in contoso.com can resolve names in fabrikam.com if the WAN link fails.

What should you do on Server1?

A. Create a stub zone.

B. Add a forwarder.

C. Create a secondary zone.

D. Create a conditional forwarder.

Correct Answer: C

Explanation:

http://technet.microsoft.com/en-us/library/cc771898.aspx

When a zone that this DNS server hosts is a secondary zone, this DNS server is a secondary source for information about this zone. The zone at this server must be obtained from another remote DNS server computer that also hosts the zone. With a secondary zone, you have the ability to resolve records from the other domain even if its DNS servers are temporarily unavailable.

While secondary zones contain copies of all the resource records in the corresponding zone on the master name server, stub zones contain only three kinds of resource records:

A copy of the SOA record for the zone.

Copies of NS records for all name servers authoritative for the zone.

Copies of A records for all name servers authoritative for the zone.

Your network contains two servers named Server1 and Server2. Both servers run Windows Server 2012 R2 and have the DNS Server server role installed.

On Server1, you create a standard primary zone named contoso.com.

You need to ensure that Server2 can host a secondary zone for contoso.com.

What should you do from Server1?

A. Add Server2 as a name server.

B. Create a trust anchor named Server2.

C. Convert contoso.com to an Active Directory-integrated zone.

D. Create a zone delegation that points to Server2.

Correct Answer: A

Explanation:

Typically, adding a secondary DNS server to a zone involves three steps:

1. On the primary DNS server, add the prospective secondary DNS server to the list of name servers that are authoritative for the zone.

2. On the primary DNS server, verify that the transfer settings for the zone permit the zone to be transferred to the prospective secondary DNS server.

3. On the prospective secondary DNS server, add the zone as a secondary zone.

You must add a new Name Server. To add a name server to the list of authoritative servers for the zone, you must specify both the server’s IP address and its DNS name. When entering names, click Resolve to resolve the name to its IP address prior to adding it to the list.

Secondary zones cannot be AD-integrated under any circumstances.

The goal is for Server2 to be able to host the zone; you do not want to delegate a zone.

Secondary Domain Name System (DNS) servers help provide load balancing and fault tolerance. Secondary DNS servers maintain a read-only copy of zone data that is transferred periodically from the primary DNS server for the zone. You can configure DNS clients to query secondary DNS servers instead of (or in addition to) the primary DNS server for a zone, reducing demand on the primary server and ensuring that DNS queries for the zone will be answered even if the primary server is not available.

How-To: Configure a secondary DNS Server in Windows Server 2012

We need to tell our primary DNS that it is ok for this secondary DNS to pull information from it. Otherwise replication will fail and you will get this big red X.

Zones, navigate to your primary DNS zone, right-click on it and go to Properties.

Go to the “Zone Transfers” tab. By default, for security reasons, “Allow zone transfers” is unchecked to protect your DNS information. We need to allow zone transfers. If you value your DNS records, do not select “To any server”; make sure you select “Only to servers listed on the Name Servers tab”.

Head over to the “Name Servers” tab and click Add.

You will get the “New Name Server Record” window. Type in the name of your secondary DNS server. It is always better to validate by name, not IP address, to avoid future problems in case your IP addresses change. Once done, click OK.

You will see your secondary DNS server is now added to your name servers selection, click OK.

Now if you head back to your secondary DNS server and refresh, the big red X will go away and your primary zone data will populate.

Your secondary DNS is fully set up now. You cannot make any DNS changes from your secondary DNS. Secondary DNS is a read-only DNS; any DNS changes have to be done from the primary DNS.
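The three steps listed in the explanation and the GUI walkthrough above can also be done with the DnsServer PowerShell module. This is an added example, not part of the original page; the secondary's FQDN and the primary's IP address are constructed placeholders, and the script assumes it runs from a host that can manage both servers.

```powershell
# Added example: secondary-zone setup with zone transfers restricted
# to the servers on the Name Servers tab. Values below are assumptions.
Import-Module DnsServer

$Zone          = 'contoso.com'
$Primary       = 'Server1'
$Secondary     = 'Server2'
$SecondaryFqdn = 'server2.contoso.com'   # constructed FQDN for Server2
$PrimaryIP     = '192.0.2.10'            # placeholder address for Server1

# Step 1 (primary): add the prospective secondary to the zone's NS records.
Add-DnsServerResourceRecord -ComputerName $Primary -ZoneName $Zone `
    -NS -Name '@' -NameServer $SecondaryFqdn

# Step 2 (primary): allow transfers only to servers listed as name servers.
# TransferAnyServer is the "To any server" option the walkthrough warns against.
Set-DnsServerPrimaryZone -ComputerName $Primary -Name $Zone `
    -SecureSecondaries TransferToZoneNameServer

# Check: fail loudly if the zone is still open to any requester.
$zoneInfo = Get-DnsServerZone -ComputerName $Primary -Name $Zone
if ($zoneInfo.SecureSecondaries -eq 'TransferAnyServer') {
    throw "Zone $Zone on $Primary allows transfers to any server."
}

# Step 3 (secondary): create the secondary zone, pulling from the primary.
Add-DnsServerSecondaryZone -ComputerName $Secondary -Name $Zone `
    -ZoneFile "$Zone.dns" -MasterServers $PrimaryIP

# Request a full transfer now instead of waiting for the refresh interval,
# then confirm the zone type as seen on the secondary.
Start-DnsServerZoneTransfer -ComputerName $Secondary -Name $Zone -FullTransfer
Get-DnsServerZone -ComputerName $Secondary -Name $Zone |
    Select-Object ZoneName, ZoneType, MasterServers
```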

Your network contains an Active Directory domain named contoso.com. The domain contains a Web server named www.contoso.com. The Web server is available on the Internet.

You implement DirectAccess by using the default configuration.

You need to ensure that users never attempt to connect to www.contoso.com by using DirectAccess. The solution must not prevent the users from using DirectAccess to access other resources in contoso.com.

Which settings should you configure in a Group Policy object (GPO)?

A. DirectAccess Client Experience Settings

B. DNS Client

C. Name Resolution Policy

D. Network Connections

Correct Answer: C

Explanation:

For DirectAccess, the NRPT must be configured with the namespaces of your intranet with a leading dot (for example, .internal.contoso.com or .corp.contoso.com). For a DirectAccess client, any name request that matches one of these namespaces will be sent to the specified intranet Domain Name System (DNS) servers.

Include all intranet DNS namespaces that you want DirectAccess client computers to access.

There are no command line methods for configuring NRPT rules. You must use Group Policy settings. To configure the NRPT through Group Policy, use the Group Policy add-in at Computer Configuration\Policies\Windows Settings\Name Resolution Policy in the Group Policy object for DirectAccess clients. You can create a new NRPT rule and edit or delete existing rules. For more information, see Configure the NRPT with Group Policy.

QUESTION 60

Your network contains an Active Directory domain named contoso.com.

All user accounts for the marketing department reside in an organizational unit (OU) named OU1. All user accounts for the finance department reside in an organizational unit (OU) named OU2.

You create a Group Policy object (GPO) named GPO1. You link GPO1 to OU2. You configure the Group Policy preference of GPO1 to add a shortcut named Link1 to the desktop.

You discover that when a user signs in, Link1 is not added to the desktop.

You need to ensure that when a user signs in, Link1 is added to the desktop.

What should you do?

A. Enforce GPO1.

B. Enable loopback processing in GPO1.

C. Modify the Link1 shortcut preference of GPO1.

D. Modify the Security Filtering settings of GPO1.

Correct Answer: D

Explanation:

Security filtering is a way of refining which users and computers will receive and apply the settings in a Group Policy object (GPO). Using security filtering, you can specify that only certain security principals within a container where the GPO is linked apply the GPO. Security group filtering determines whether the GPO as a whole applies to groups, users, or computers; it cannot be used selectively on different settings within a GPO.
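To see security filtering from the command line, the following added example (not part of the original page) confirms that GPO1 is linked to OU2 and then lists which principals actually hold the Apply permission. The OU distinguished name and the group name "Finance Users" are hypothetical values chosen for illustration.

```powershell
# Added example: check the link and the security filter of GPO1.
# The OU path and group name are assumptions, not values from the page.
Import-Module GroupPolicy

$GpoName   = 'GPO1'
$OuDn      = 'OU=OU2,DC=contoso,DC=com'   # assumed DN for OU2
$TargetGrp = 'Finance Users'              # hypothetical finance group

# A GPO can be linked correctly and still not apply if the filter excludes the user.
$linked = (Get-GPInheritance -Target $OuDn).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName -and $_.Enabled }
if (-not $linked) { Write-Warning "$GpoName has no enabled link on $OuDn" }

# Principals in the security filter are those with a non-denied GpoApply entry.
$applyTrustees = @(
    Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied } |
        ForEach-Object { $_.Trustee.Name }
)
"Security filter for ${GpoName}: $($applyTrustees -join ', ')"

# Add the finance group to the filter only if it is missing.
if ($applyTrustees -notcontains $TargetGrp) {
    Set-GPPermission -Name $GpoName -TargetName $TargetGrp `
        -TargetType Group -PermissionLevel GpoApply
}
```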